Online-voting company pushes to make it harder for researchers to find security flaws

This story is part of Elections 2020, CNET’s coverage of the run-up to voting in November.

Cybersecurity experts and lawmakers have little faith in online voting, thanks to the high potential for hacks, as well as worries about vulnerabilities, either of which could affect an election’s outcome. Security researchers often find flaws with online-voting systems, and now an e-voting company is pushing to make it more difficult to find vulnerabilities.

In a briefing filed to the Supreme Court on Thursday, Voatz, a Boston-based e-voting company, argues that security researchers shouldn’t have legal protections when looking for flaws without permission.

For more like this

“Allowing for unauthorized research taking the form of hacks/attacks on live systems would lead to uncertain and often faulty results and conclusions, makes distinguishing between true researchers and malicious hackers difficult, and unnecessarily burdens the mandate of the nation’s critical infrastructure,” Voatz said in a statement to CNET.

Voatz has argued against security researchers who found issues with its mobile-voting software, which is used in 11 states. In February, Voatz disputed the findings of MIT researchers, who said the e-voting platform was riddled with security flaws.

“By conducting their activities on an unauthorized basis rather than through Voatz authorized bug bounty program or direct collaboration with Voatz, the researchers rendered their own findings relatively useless,” the company said in its briefing on Thursday.

Last October, Voatz also reported a University of Michigan election-security student to West Virginia officials, who turned the investigation over to the FBI. The student had been enrolled in a course that required looking at potential flaws on mobile-voting technology, which included Voatz, according to CNN.

Security researchers always run the risk of violating the Computer Fraud and Abuse Act (CFAA), a law created in 1986 with a broad definition of what’s considered hacking. The law considers any intentional access to a computer without authorization to be a federal crime. It’s broad enough that sharing a Netflix password could be considered a CFAA violation.

In April, the Supreme Court agreed to hear Van Buren v. United States, a case that centers on what can be considered a CFAA violation. Voatz filing was made as a friend of the court brief in that case.

Security researchers want the Supreme Court to consider their work protected from the CFAA.

“Almost by its nature, discovering security vulnerabilities requires accessing computers in a manner unanticipated by computer owners, frequently in contravention of the owners’ stated policies,” a July 8 briefing from a group of security researchers wrote.

Security researchers find and report vulnerabilities on critical infrastructure, including voting machines. The work is so vital that officials from the Department of Homeland Security invited hackers to continue finding flaws on election infrastructure.

For years, voting machine vendors had been apprehensive about the process, raising concerns about hackers finding issues with their software without proper permission. In August, major election vendor ES&S started allowing for penetration testing on its machines.

In its brief, Voatz made clear it didn’t agree with that direction.

The company argues that the Supreme Court will create a loophole for malicious hackers to carry out attacks if it allows security researchers to test for vulnerabilities without authorization.

“This would undoubtedly result in a significant increase in such unauthorized hacking,” Voatz said in its briefing.

Security researchers warn that if they’re allowed to find and disclose flaws only with explicit permission from the companies involved, malicious hackers, who are undeterred by laws, will exploit this knowledge gap.

“To elaborate, if there’s a method of exploiting the system that the organization is unaware of, they cannot possibly provide legal access to test it,” Bugcrowd founder Casey Ellis said in a statement. “Unauthorized access is one of the main purposes of security research — by making it illegal, researchers will be unable to effectively do their jobs, the organization will not be able to close all vulnerabilities, and attackers will win.”

Jake Williams, founder of the security firm Rendition Security, pointed out that there’s a difference between vulnerability disclosure and discovery.

Though both security researchers and malicious hackers work without authorization, only security researchers are properly disclosing these flaws to the companies involved. Malicious hackers will discover vulnerabilities and often use them for financial gain, without ever informing the companies, he said.

Voatz’s argument on Thursday, he added, would adversely change that.

“The vast majority of researchers, I’d say 90% plus, are not authorized,” Williams said. “They are 100% trying to make it more difficult, there’s no doubt about that.”

Originally published at https://www.cnet.com on September 3, 2020.